-= Per source details. Do not edit below this line.=-
package.json declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js reads installer-side system identity and files — os.hostname(), os.userInfo(), homedir, DNS configuration, package metadata, /etc/passwd, and /etc/hosts — and POSTs them over HTTPS to a hardcoded Burp Collaborator subdomain (6hoa7n94q5v6yig1hqokwg6f066zupie.oastify.com). The package metadata is empty (no description, author, or license) and the name impersonates the Cloudsmith vendor brand, consistent with a dependency-confusion / typosquat recon-and-exfil payload. Any machine that installs this package transmits host fingerprinting and local account data to the attacker.
{
"malicious-packages-origins": [
{
"sha256": "2b49ad4432747f754181e7a8428aff5fd2613f9d86283f05a04c2dd1f9ac2f2f",
"id": "IN-MAL-2026-004014",
"source": "amazon-inspector",
"modified_time": "2026-05-21T20:18:50Z",
"versions": [
"2.1.2"
],
"import_time": "2026-05-26T05:51:46.301697711Z"
},
{
"sha256": "b426dccab89457fd791a8fd83473fe7afa862d2e532c41b1fd635bb251e5c830",
"id": "IN-MAL-2026-004015",
"source": "amazon-inspector",
"modified_time": "2026-05-21T20:18:50Z",
"versions": [
"2.1.2"
],
"import_time": "2026-05-26T05:51:46.418503203Z"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cloudsmith-vsc/MAL-2026-4530.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"domains": [
"6hoa7n94q5v6yig1hqokwg6f066zupie.oastify.com"
],
"evidence_files": [
{
"sha256": "90a1bfca0b7c5f70251dcb2a80f5be735ee867b0423d74de994de7dc6c895a30",
"tlsh": "36412395a2c917330de250c06a0c70842359fa777169e8d076cf42d6af869f8bb726f3",
"path": "index.js"
},
{
"sha256": "6cb0e7edb6061c94dd2db1047811b2963f309cc734912b4a315588eaffb58b49",
"tlsh": "00d05e244e21663365c502a60c2b944a62a18f2b05043c08638b182c919e677a8fb31d",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "cloudsmith-vsc-2.1.2.tgz",
"hashes": {
"sha1": "183b643957e6888802a34a88a046be57cf31e36d",
"sha512_sri": "sha512-Z/tEK9ouOUj4aZJWBdhQNKMetFQbhDHRZYKNEv+W7g7SONLNZhiCeOxBvIUsv9yY5gZv8QKCo0FpV4p8+QlVTw=="
}
}
]
}